[FeatureRequest] [Android] [IOS] enforce Biometric Authentication

[test0terter0n]

We need a way to force the user to re-authenticate. Because our backend is sometimes very slow, we need a very high AuthenticationValidityDuration. This leads to the problem that if the user logs out or is logged out within the time, he can log in without a new biometric check.
Below in detail:
I am using AuthenticationValidityDuration with 10 seconds for initial token refresh when logging in:

Future<void> login() async{
   // will show biometric auth and start 10 second AuthenticationValidity
   final oldToken = await storageFile.read();
   final refreshedToken = await refreshToken(oldToken)
   await storageFile.write(refreshedToken);
}

When the backends reacts really fast and user logs out immediately after login, calling login function does not show Biometric Auth to the user, cause 10 second AuthenticationValidity is not over yet.
For this reason I need something like a forceBiometric flag when reading storageFile. This should look like:

Future<void> login() async{
   // will always show biometric auth, not depending on AuthenticationValidity
   final oldToken = await storageFile.read(forceBiometrichAuth: true);
   final refreshedToken = await refreshToken(oldToken)
   await storageFile.write(refreshedToken);
}

If there is a possibility to handle that scenario without any changes, than my request can be ignored.

[luckyrat]

Being able to essentially cancel a previous authentication period prematurely is an interesting idea but we probably need to think more about whether the API could be a little confusing or even have some security implications. E.g. does it create a false sense of security since the protected data is actually still made available by the OS if a suitable API call is made via another route? And what bugs or UX impacts might arise from the previously authenticated context remaining available for the remainder of the original grace period?

I think this library is really focussed on local authentication so I'm not sure that linking it to a remote authentication procedure is necessarily the best idea. Can you elaborate more on why you need to set your local authentication grace period to a value dictated by your remote communication procedures?

Other approaches might include storing multiple items in different stores with different grace periods (e.g. for an OAuth refresh token vs session token). The new deleteAndDispose feature I've just created in #138 might also help since it can give control over when to fully delete a stored item and reconfigure behaviour with a new validity grace period.